After integrating LDAP Authentication in jBPM, I am getting this error when I access Manage from jbpm-console:
Attention
Execution Server Unavailable
There is currently no server connected.
On the console I am constantly getting this error:
```
19:35:09,678 INFO [org.kie.server.controller.websocket.client.WebSocketKieServerControllerImpl] (KieServer-ControllerConnect) Kie Server points to non Web Socket controller 'http://localhost:8080/jbpm-console/rest/controller', using default REST mechanism
19:35:10,501 WARN [org.kie.server.services.impl.controller.DefaultRestControllerImpl] (KieServer-ControllerConnect) Exception encountered while syncing with controller at http://localhost:8080/jbpm-console/rest/controller/server/sample-server error Error while sending PUT request to http://localhost:8080/jbpm-console/rest/controller/server/sample-server response code 405
```
When I comment out the LDAP login module in standalone.xml it works, but not with LDAP enabled.
Versions used:
kie-server-7.29.0.Final-wildfly-14.0.1.Final
jbpm-console-7.29.0.Final-wildfly-14.0.1.Final
jbpm-casemgmt-7.29.0.Final-wildfly-14.0.1.Final
Used jbpm-installer-7.29.0.Final to build and start the Wildfly server.
For access to the KIE Execution Server you need to have a user with the role 'kie-server'. I had the same case. Adding the user 'kieserver' with the role 'kie-server' solved my problem. Documentation of the KIE Execution Server: https://docs.jboss.org/drools/release/6.2.0.Final/drools-docs/html/ch19.html
org.kie.workbench.controller: The URL used to connect to the jBPM controller, for example, ws://localhost:8080/kie-server-controller/websocket/controller.
org.kie.workbench.controller.user: The jBPM controller user. Default value: kieserver.
org.kie.workbench.controller.pwd: The jBPM controller password. Default value: kieserver1!.
I got the same error when trying to configure jbpm to use DB authentication:
```
Exception encountered while syncing with controller at http://localhost:8080/business-central/rest/controller/server/sample-server error Error while sending PUT request to http://.... response code 405
```
The jbpm version that I'm using is: jbpm-server-7.47.0.Final-dist.zip (released at Dec 4, 2020)
In the DB, I have already set up the user "admin" with password "admin" that has the "kie-server" role.
And in the standalone.xml, I also added the following system properties to define the user name and password to connect to the kie server and controller:
```
<property name="org.kie.server.user" value="admin"/>
<property name="org.kie.server.pwd" value="admin"/>
<property name="org.kie.server.controller.user" value="admin"/>
<property name="org.kie.server.controller.pwd" value="admin"/>
```
Even though the server starts up with the mentioned error, the kie server can start up successfully. I tried to use the 'admin' user to access the kie-server REST API (e.g. GET http://localhost:8080/kie-server/services/rest/server) without any problem. I also tried to log in to business central with the 'admin' user, also successfully.
But the problem still remains the same: there is no server available for kjar deployment.
Resolution
It took me several days to figure out that it's a configuration issue in the standalone.xml file.
In the standalone.xml, there is by default a set of system properties named "kie.keystore.key.*". These attributes are used to retrieve the password value from a keystore file (e.g. jBPMKeystore.jceks in the configuration folder). By checking the source code of DefaultRestControllerImpl.java, the logic is to first load the password from the keystore file and, if there is a problem, it will then retrieve the password from the system property org.kie.server.controller.pwd.
So, what we need to do is to comment out / remove the system properties "kie.keystore.*" inside the <system-properties> tag:
```
<!--
<property name="kie.keystore.keyStoreURL" value="file:///${jboss.server.config.dir}/jBPMKeystore.jceks"/>
<property name="kie.keystore.keyStorePwd" value="jBPMKeyStorePassword"/>
<property name="kie.keystore.key.server.alias" value="jBPMAlias"/>
<property name="kie.keystore.key.server.pwd" value="jBPMKeyPassword"/>
<property name="kie.keystore.key.ctrl.alias" value="jBPMAlias"/>
<property name="kie.keystore.key.ctrl.pwd" value="jBPMKeyPassword"/>
-->
```
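An added illustration (not code from the answer or from the jBPM code base) of the lookup order the resolution describes: the controller password is read from the JCEKS keystore named by the kie.keystore.* properties first, and only when that fails from org.kie.server.controller.pwd. Class and method names are this example's own; it assumes the keystore entry was created with `keytool -importpass`.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;

public final class ControllerPasswordProbe {

    // Same order as the resolution describes: keystore entry first, plain property second.
    static String resolveControllerPassword() {
        String fromStore = readFromKeystore(
                System.getProperty("kie.keystore.keyStoreURL"),
                System.getProperty("kie.keystore.keyStorePwd"),
                System.getProperty("kie.keystore.key.ctrl.alias"),
                System.getProperty("kie.keystore.key.ctrl.pwd"));
        if (fromStore != null) {
            return fromStore;
        }
        // Fallback taken when the keystore properties are absent or the lookup fails.
        return System.getProperty("org.kie.server.controller.pwd");
    }

    // Assumes the entry was created with "keytool -importpass", which stores the
    // password as a secret-key entry whose encoded bytes are the password itself.
    static String readFromKeystore(String url, String storePwd, String alias, String keyPwd) {
        if (url == null || storePwd == null || alias == null || keyPwd == null) {
            return null;
        }
        try (InputStream in = new URL(url).openStream()) {
            KeyStore ks = KeyStore.getInstance("JCEKS");
            ks.load(in, storePwd.toCharArray());
            KeyStore.Entry entry = ks.getEntry(alias,
                    new KeyStore.PasswordProtection(keyPwd.toCharArray()));
            if (entry instanceof KeyStore.SecretKeyEntry) {
                byte[] raw = ((KeyStore.SecretKeyEntry) entry).getSecretKey().getEncoded();
                return new String(raw, StandardCharsets.UTF_8);
            }
            System.err.println("no secret-key entry under alias " + alias);
        } catch (Exception e) {
            // Missing file, wrong store password or wrong key password all end up here.
            System.err.println("keystore lookup failed (" + e + "), falling back to system property");
        }
        return null;
    }

    public static void main(String[] args) {
        String pwd = resolveControllerPassword();
        System.out.println(pwd == null ? "no controller password configured"
                                       : "controller password resolved");
    }
}
```

Run it with the same -D properties as standalone.xml to see which branch supplies the password. An alternative to removing the properties is to create the entry the first branch expects, e.g. `keytool -importpass -keystore jBPMKeystore.jceks -storetype JCEKS -alias jBPMAlias`, so the keystore lookup succeeds and the password stays out of standalone.xml.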
I am developing a JavaEE application that needs to access an LDAP server. The access to the LDAP server is used to authenticate users at the login page AND in some features inside the application (custom searches and listings).
For the authentication part, I am using JAAS so I can use the basic LDAP login module, with its own configuration, or a custom login module. But I don't want to configure the LDAP parameters twice, once in the standalone.xml for the login module, and once inside the application (properties file, or in a table in the database) to be able to use it to implement the required features. The ideal case would be to configure it only once in the standalone.xml file and use that configuration for both the login module and the application.
Does JBoss (EAP 6) have some kind of "custom resource" which can be configured in the standalone.xml and be accessed with JNDI? Is there another solution that allows me to configure the LDAP connection parameters only once, and use that configuration from multiple places?
Thanks.
I already resolved it.
What I did is to define a new binding of type external-context: in the standalone.xml file, inside the "urn:jboss:domain:naming" subsystem, I declared the context:
```
<bindings>
    <external-context name="java:global/..." module="org.jboss.as.naming" class="javax.naming.directory.InitialDirContext" cache="true">
        <environment>
            <property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <property name="java.naming.provider.url" value="ldap://...:389"/>
            <property name="java.naming.security.authentication" value="simple"/>
            <property name="java.naming.security.principal" value="cn=..."/>
            <property name="java.naming.security.credentials" value="..."/>
        </environment>
    </external-context>
</bindings>
```
Then, I can use that context wherever I need:
```
try {
    Context initContext = new InitialContext();
    InitialDirContext ldapContext = (InitialDirContext) initContext.lookup("java:global/...");
    // Connection OK!
} catch (Exception ex) {
    // Connection failure!
}
```
The drawback of this solution is that I can't use the ldap login module included with JBoss, because it does not let me use the context. So, I will have to develop a custom login module.
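Using the shared context for the two jobs the question lists, user lookup and a login check, as an added example that is not part of the answer or of JBoss; the binding name java:global/ldap and the base DN are assumptions standing in for the elided values above, and the login check is the bind a custom login module would perform.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public final class SharedLdapLookup {
    // Assumed values standing in for the "..." in the binding above.
    private static final String CONTEXT_NAME = "java:global/ldap";
    private static final String USER_BASE = "ou=people,dc=example,dc=com";

    // Listing/search use: find a user's DN through the container-managed context.
    static String findUserDn(String uid) throws Exception {
        DirContext shared = (DirContext) new InitialContext().lookup(CONTEXT_NAME);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]); // only the DN is needed
        // uid goes in as a filter argument so JNDI escapes it; never concatenate it into the filter.
        NamingEnumeration<SearchResult> hits =
                shared.search(USER_BASE, "(uid={0})", new Object[] { uid }, sc);
        try {
            return hits.hasMore() ? hits.next().getNameInNamespace() : null;
        } finally {
            hits.close(); // do not close "shared": the container caches it (cache="true")
        }
    }

    // Login use: reuse the bound connection settings but bind as the user, not the service account.
    static boolean authenticate(String uid, char[] password) throws Exception {
        String dn = findUserDn(uid);
        if (dn == null || password.length == 0) {
            return false; // an empty password would be an unauthenticated bind on many servers
        }
        DirContext shared = (DirContext) new InitialContext().lookup(CONTEXT_NAME);
        Hashtable<Object, Object> env = new Hashtable<Object, Object>(shared.getEnvironment());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        try {
            new InitialDirContext(env).close(); // a successful bind is the credential check
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }
}
```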
I'm trying to integrate CAS server with IdentityServer3 (CAS acting as an Open ID Client).
Following the guides, I updated the cas.properties and changed the following:
```
cas.pac4j.oidc.id=clientid
cas.pac4j.oidc.secret=secret
cas.pac4j.oidc.discoveryUri=https://IdentityServer3/.well-known/openid-configuration
```
I also updated the pom.xml file and added the pac4j-oidc dependency (not sure if it was needed but it was missing initially).
Now when I access the CAS login page I can see the Oidc login link but the URL is invalid:
https://localhost:8433/cas/login?client_name=OidcClient&needs_client_redirection=true
I was expecting to automatically discover the IdentityServer URL from the discovery document. Is there anything else I need to do?
I also tried adding the following bean to the pac4jContext.xml file:
```
<bean id="oidc1" class="org.pac4j.oidc.client.OidcClient">
<property name="id" value="clientid" />
<property name="secret" value="secret" />
<property name="discoveryUri" value="https://IdentityServer3/.well-known/openid-configuration" />
</bean>
```
When I do this the CAS server is not working anymore (I get a 404 when trying to access it via Tomcat)
Java is not my first language so I'm not sure if I'm missing something obvious but I would really appreciate some help with this.
I have an issue as follows:
Assume I have logged in successfully on the CAS server.
I open the browser and access Liferay. Liferay cannot auto-login. If I want to log in I must click the login button on Liferay; Liferay will redirect to the CAS server. The CAS server sees that the user has logged in and sends me back to Liferay.
Thank you!
You have to have these lines in your portal-ext.properties
```
# CAS Configuration
cas.auth.enabled=true
cas.import.from.ldap=false
cas.login.url=https://localhost:8443/cas-web/login
cas.logout.url=https://localhost:8443/cas-web/logout
cas.server.name=localhost:8080
cas.server.url=https://localhost:8443/cas-web
#cas.service.url=http://localhost:8080/c/portal/login
cas.logout.on.session.expiration=false
cas.validate.url=https://localhost:8443/cas-web/proxyValidate
auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin
```
These lines let you redirect fine between your localhost and your CAS server.
You have to have another file called deployerConfigContext.xml. In this file you have to define the following bean and list of registered services to let your CAS server go to your localhost and use the generated ticket.
Bean:
```
<bean id="serviceRegistryDao"
      class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
      p:registeredServices-ref="registeredServicesList" />
```
List of registered services:
```
<util:list id="registeredServicesList">
    <bean class="org.jasig.cas.services.RegexRegisteredService"
          p:id="1"
          p:name="jason web application"
          p:serviceId="^(https?|imaps?|http?)://.*"
          p:evaluationOrder="0" />
</util:list>
```
I also have several lines in the cas.properties file... maybe you need them too:
```
cas.securityContext.serviceProperties.service=http://localhost:8080/cas-web/services/j_acegi_cas_security_check
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=http://localhost:8080/cas-web/login
cas.securityContext.ticketValidator.casServerUrlPrefix=http://localhost:8080/cas-web
cas.viewResolver.basename=default_views
```
File paths:
```
%CATALINA_HOME%\webapps\cas-web\WEB-INF\cas.properties
%CATALINA_HOME%\webapps\cas-web\WEB-INF\deployerConfigContext.xml
%CATALINA_HOME%\portal-ext.properties
```
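An added example (not code from the answer, Liferay or CAS) showing what the serviceId pattern in the registered-services list admits: CAS matches the service URL a client presents against this regex before issuing a ticket for it, so the pattern decides which callback URLs can receive tickets. The pinned pattern is this example's own suggestion, built from the cas.server.name value in portal-ext.properties above; the service URLs are constructed samples.

```java
import java.util.regex.Pattern;

public final class ServiceIdCheck {

    // Pattern exactly as given in the registered-services list above.
    static final Pattern ANSWER_PATTERN = Pattern.compile("^(https?|imaps?|http?)://.*");

    // Same check pinned to the portal host from portal-ext.properties (cas.server.name=localhost:8080);
    // this narrower pattern is the example's own suggestion, not from the answer.
    static final Pattern PINNED_PATTERN = Pattern.compile("^https?://localhost:8080(/.*)?$");

    // RegexRegisteredService accepts a service when the whole URL matches the pattern.
    static boolean allowed(Pattern serviceId, String serviceUrl) {
        return serviceId.matcher(serviceUrl).matches();
    }

    public static void main(String[] args) {
        String[] services = { // constructed sample service URLs
                "http://localhost:8080/c/portal/login",  // the Liferay login callback
                "https://other-host.example/app",        // an unrelated host
                "imap://mail.example/inbox",
                "ftp://localhost:8080/"
        };
        for (String s : services) {
            System.out.printf("%-42s answer=%-5b pinned=%-5b%n", s,
                    allowed(ANSWER_PATTERN, s), allowed(PINNED_PATTERN, s));
        }
    }
}
```

The first three URLs all pass the pattern from the answer, while only the portal's own callback passes the pinned one.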
I have a Spring 4.1.1 web application. Currently the datasource password is stored in a property file, in clear. Configuration is:
```
<bean id="mainDataSource"
      class="com.mchange.v2.c3p0.ComboPooledDataSource"
      scope="singleton"
      destroy-method="close">
    <property name="driverClass"><value>${jdbc.driver}</value></property>
    <property name="jdbcUrl"><value>${jdbc.url}</value></property>
    <property name="user"><value>${jdbc.username}</value></property>
    <property name="password"><value>${jdbc.password}</value></property>
    ...
</bean>
```
My client doesn't want the password to be stored in a property file or, more in general, in the server.
The ideal would be to have Spring show a secure webpage to enter the database password.
The big problem is that I need access to the db to initialize the context and pretty much everything needed for the application to work. So the question is:
Is it possible to have Spring display a web page prior to context initialization, so that the user can enter the datasource password? Perhaps through a filter or something?
Please note that having the password encrypted in the property file, or having it passed as a parameter at Tomcat startup, won't do, as it wouldn't be much different from having it in the property file as regards security.
What I ended up doing was to set the database password into an environment variable, use the variable inside the spring configuration files, and then delete the variable after startup. This worked and seems to make the client happy.
To read the environment variable in spring_db.xml use this expression, if you have Spring 3.0 and above:
```
<property name="password"><value>#{systemEnvironment['variable_name']}</value></property>
```
Could you please tell me how we can provide an encrypted password in the JNDI configuration and how we can decrypt it in Spring. In Spring,
I see that we have to configure the datasource using
```
<bean id="DatabaseName" class="org.springframework.jndi.JndiObjectFactoryBean">
    <property name="jndiName" value="java:comp/env/jdbc/DatabaseName"/>
</bean>
```
but how can we override and decrypt the password in this? Could you please help me.
Thanks
Vivek
Your problem really has little to do with Spring - it is more like "How do I hide the database password".
One of the best methods is to create a datasource manually from the J2EE console. Weblogic and IBM Websphere support this, and automatically obfuscate the password. Your program then asks the container for a database connection, and need not supply the password. (There is an assumption that if you have deployment rights to the server, then you can connect freely to the server's datasources.)
Tomcat is a bit more problematical. The datasource will be specified in ../conf/context.xml, and the password will be in plaintext. You need to use Unix file permissions to keep out those who should not know the password.
This answer, "How to hide database password in config file", shows that this is a non-trivial problem.